Content uploaded by Kasper Svendsen
Author content
All content in this area was uploaded by Kasper Svendsen on Mar 28, 2014
Content may be subject to copyright.
Partiality, State and Dependent Types
Kasper Svendsen1, Lars Birkedal1, and Aleksandar Nanevski2
1IT University of Copenhagen {kasv,birkedal}@itu.dk
2IMDEA Software aleks.nanevski@imdea.org
Abstract. Partial type theories allow reasoning about recursively-defined computations using fixed-
point induction. However, fixed-point induction is only sound for admissible types and not all types are
admissible in sufficiently expressive dependent type theories.
Previous solutions have either introduced explicit admissibility conditions on the use of fixed points,
or limited the underlying type theory. In this paper we propose a third approach, which supports Hoare-
style partial correctness reasoning, without admissibility conditions, but at a tradeoff that one cannot
reason equationally about effectful computations. The resulting system is still quite expressive and
useful in practice, which we confirm by an implementation as an extension of Coq.
1 Introduction
Dependent type theories such as the Calculus of Inductive Constructions [2] provide powerful languages
for integrated programming, specification, and verification. However, to maintain soundness, they typically
require all computations to be pure and terminating, severely limiting their use as general purpose program-
ming languages.
Constable and Smith [9] proposed adding partiality by introducing a type τof potentially non-
terminating computations of type τ, along with the following fixed point principle for typing recursively
defined computations:
if M:τ→ τthen fix(M) : τ
Unfortunately, in sufficiently expressive dependent type theories, there exists types τfor which the above
fixed point principle is unsound [10]. For instance, in type theories with subset-types, the fixed point principle
allows reasoning by a form of fixed point induction, which is only sound for admissible predicates (a predicate
is admissible if it holds for the limit whenever it holds for all finite approximations). Previous type theories
based on the idea of partial types which admit fixed points have approached the admissibility issue in roughly
two different ways:
1. The notion of admissibility is axiomatized in the type theory and explicit admissibility conditions are
required in order to use fix. This approach has, e.g., been investigated by Crary in the context of Nuprl [10].
The resulting type theory is expressive, but admissibility conditions lead to significant proof obligations, in
particular, when using Σtypes.
2. The underlying dependent type theory is restricted in such a way that one can only form types that are
trivially admissible. This approach has, e.g., been explored in recent work on Hoare Type Theory (HTT) [21].
The restrictions exclude usage of subset types and Σtypes, which are often used for expressing properties of
computations and for modularity. Another problem with this approach is that since it limits the underlying
dependent type theory one cannot easily implement it as a simple extension of existing implementations.
In this paper we explore a third approach, which ensures that all types are admissible, not by limiting
the underlying standard dependent type theory, but by limiting only the partial types. The limitation on
partial types consists of equating all effectful computations at a given type: if Mand Nare both of type
τ, then they are propositionally equal. Thus, with this approach, the only way to reason about effectful
computations is through their type, rather than via equality or predicates. With sufficiently expressive types,
the type of an effectful computation can serve as a partial correctness specification of the computation. Our
hypothesis is that this approach allows us to restrict attention to a subset of admissible types, which is closed
under the standard dependent type formers and which suffices for reasoning about partial correctness.
To demonstrate that this approach scales to expressive type theories and to effects beyond partiality,
we extend the Calculus of Inductive Constructions (CIC) [2] with stateful and potentially non-terminating
computations. Since reasoning about these effectful computations is limited to their type, our partial types are
further refined into a Hoare-style partial correctness specifications, and have the form ST τ(P, Q), standing
for computations with pre-condition P, post-condition Q, that diverge or terminate with a value of type τ.
The resulting type theory is an impredicative variant of Hoare Type Theory [17], which differs from
previous work on Hoare Type Theory in the scope of features considered and the semantic approach. In
particular, this paper is the first to clarify semantically the issue of admissibility in Hoare Type Theory.
Impredicative Hoare Type Theory (iHTT) features the universes of propositions (prop), small types
(set), and large types (type), with prop included in set,set included in type, and axioms prop:type and
set:type. The prop and set universes are impredicative, while type is predicative. There are two main
challenges in building a model to justify the soundness of iHTT: (1) achieving that Hoare types are small
(ST τ s :set), which enables higher-order store; that is, storing side-effectful computations into the heap,
and (2) supporting arbitrary Σtypes, and more generally, inductive types. In this respect iHTT differs
from the previous work on Hoare Type Theory, which either lacks higher-order store [19], lacks strong Σ
types [21], or whose soundness has been justified using specific syntactic methods that do not scale to fully
general inductive definitions [17, 18].
The model is based on a standard realizability model of partial equivalence relations (PERs) and as-
semblies over a combinatory algebra A. These give rise to a model of the Calculus of Constructions [14],
with set modelled using PERs. Restricting PERs to complete PERs (i.e., PERs closed under limits of ω-
chains) over a suitable universal domain, allows one to model recursion in a simply-typed setting [4], or in
a dependently-typed setting, but without strong Σtypes [21].
Our contribution is in identifying a set of complete monotone PERs that are closed under Σtypes and
Hoare types. Complete PERs do not model Σtypes because, given a chain of dependent pairs, in general,
due to dependency, the second components of the chain are elements of distinct complete PERs. To apply
completeness, we need a fixed single complete PER. Monotonicity will equate the first components of the
chain and give us the needed single complete PER for the second components. Monotonicity further forces a
trivial equality on Hoare types, equating all effectful computations satisfying a given specification. However,
it does not influence the equality on the total, purely functional, fragment of iHTT, ensuring that we still
model CIC. This is sufficient for very expressive Hoare-style reasoning, and avoids admissibility conditions
on the use of fix.
As iHTT is an extension of CIC, we have implemented iHTT as an axiomatic extension of Coq [1].
The implementation is carried out in Ssreflect [12] (a recent extension of Coq), based on the previous
implementation of predicative Hoare Type Theory [19]. The implementation is available at:
http://www.itu.dk/people/kasv/ihtt.tgz.
2 Hoare types by example
To illustrate Hoare types, we sketch a specification of a library for arrays in iHTT. We assume that array
indexes range over a finite type ι:setf in, that the elements of ιcan be enumerated as ι0, ι1, . . . , ιn, and that
equality between these elements can be decided by a function
:ι→ι→bool.
Each array is implemented as a contiguous block of locations, each location storing a value from the
range type τ:set. The space occupied by the array is uniquely determined by ι,τ, and the pointer to the
first element, justifying that the array type be defined as this first pointer.
array :setfin →set →set =λι. λτ. ptr.
Here, ptr is the type of pointers, which we assume isomorphic to nat. Each array is essentially a stateful
implementation of some finite function f:ι→τ. To capture this, we define a predicate indexed by f, that
describes the layout of an array in the heap.
shape : (array ι τ)→(ι→τ)→heap →prop =
λa. λf. λh. h =a7→ f ιo•a+1 7→ f ι1• · · · • a+n7→ f ιn.
2
In other words, hstores an array a, representing a finite function f, if shape a f h holds, that is, if hconsists
of n+1 consecutive locations a,a+1, . . . , a+n, storing f ι0, f ι1, . . . , f ιn, respectively. The property is stated
in terms of singleton heaps a+k7→ f ιk, connected by the operator •for disjoint heap union. Later in the
text, we will also require a constant empty denoting the empty heap.
The type of arrays comes equipped with several methods for accessing and manipulating the array
elements. For example, the method for reading the value at index k:ιcan be given the following type.
read :Πa:array ι τ. Π k:ι.
ST τ(λh. ∃f. shape a f h,
λr. λh. λm. ∀f. shape a f h →r=f k ∧m=h)
Informally, read a k is specified as a stateful computation whose precondition permits the execution only in
a heap hwhich stores a valid array at adress a(∃f. shape a f h). The postcondition, on the other hand,
specifies the result of executing read a k as a relation between output result r:τ, input heap hand output
heap m. In particular, the result ris indeed the array value at index k(r=f k), and the input heap is
unchanged (m=h).
Unlike in ordinary Hoare logic, but similar to VDM [6], our postcondition is parametrized wrt. both input
and the output heaps in order to directly express the relationship between the two. In particular, when this
relationship depends on some specification-level value, such as fabove, the dependency can be expressed by
an ordinary propositional quantification.
Hoare types employ small footprint specifications, as in separation logic [20], whereby the specifications
only describe the parts of the heap that the computation traverses. The untraversed parts are by default
invariant. To illustrate, consider the type for the method new that generates a fresh array, indexed by ι, and
populated by the value x:τ.
new :Πx:τ. ST (array ι τ) (λh. h =empty, λa. λh. λm. shape a(λz. x)m)
The type states not that new xcan only run in an empty heap, but that new xchanges the empty subheap
of the current heap into a heap mcontaining an array rooted at aand storing all x’s. In other words, new is
adding fresh pointers, and the resulting array aitself is fresh. On the other hand, unlike in separation logic,
we allow that the specifications can directly use and quantify over variables of type heap. For completeness,
we next simply list without discussion the types of the other methods for arrays.
new from fun :Πf:ι→τ . ST (array ι τ) (λh. h =empty, λa h m. shape a f m)
free :Πa:array ι τ. ST unit (λh. ∃f. shape a f h, λr h m. m =empty)
write :Πa:array ι τ. Π k:ι. Πx:τ.
ST unit (λh. ∃f. shape a f h, λr h m. ∀f. shape a f h →
shape a(λz. if z
kthen xelse f(z)) m)
At this point, we emphasize that various type theoretic abstractions are quite essential for practical work with
Hoare types. The usefulness of Πtypes and the propositional quantifiers is apparent from the specification
of the array methods. But the ability to structure specification is important too. For example, we can pair
pre- and postconditions into a type spec τ= (heap →prop)×(τ→heap →heap →prop), which is then
used to specify the fixpoint combinator.
fix :Πα:set. Πβ:α→set. Πs:Π x. spec (β x).
(Πx. ST (β x) (s x)→Πx. ST (β x) (s x)) →Π x. ST (β x) (s x).
Structuring proofs and specifications with programs is also necessary, and is achieved using dependent records
(i.e., Σtypes), which we illustrate next.
The first example of a dependent record is the setfin type. This is an algebraic structure containing the
carrier type σ, the operation
for deciding equality on σ, and a list enumerating σ’s elements. Additionally,
setfin needs proofs that
indeed decides equality, and that the enumeration list contains each element exactly
3
once. Using the record notation [x1:τ1,...xn:τn] instead of the more cumbersome Σx1:τ1. . . Σ xn:τn.1, the
setfin type is defined as follows.
setfin = [ σ:set,enum :list σ,
:σ→σ→bool,
eqp :∀x y:σ. x
y=true ⇐⇒ x=y,
enump :∀x:σ. count xenum = 1]
The above dependent record refines a type. In practice, we will also use records that refine values. For example,
in programming, arrays are often indexed by the type of bounded integers In= [x:nat,boundp :x≤n]. In
can be extended with appropriate fields, to satisfy the specification for setf in, but the important point here
is that the elements of Inare dependent records containing a number xand a proof that x≤n. Of course,
during actual execution, this proof can be ignored (proofs are computationally irrelevant), but it is clearly
important statically, during verification.
Finally, the library of arrays itself can be ascribed a signature which will serve as an interface to the
client programs. This signature too is a dependent record, providing types for all the array methods. Just as
in the case of setf in and In, the signature may also include properties, similar to object invariants [13,15].
For example, we have found it useful in practice to hide from the clients the definitions of the array type and
the array shape predicate, but expose that two arrays in stable states; that is, between two method calls,
stored in compatible heaps must be equal (i.e., that the shape predicate is “functional”):
functional :Πshape.∀a1a2f1f2h1h2.shape a1f1h1→shape a2f2h2→
(∃j1j2. h1•j1=h2•j2)→a1=a2∧f1=f2∧h1=h2.
Then the signature for arrays indexed by ι, containing values of type τ, is provided by the following dependent
record parametrized by ιand τ.
ArraySig =Πι:setfin. Πτ :set.
[array :set,shape :array →(ι→τ)→heap →prop,
funcp :functional shape,read :Πa:array. Πk:ι. . . .].
Therefore, Σtypes are central for building verified libraries of programs, specifications and proofs.
3 Semantics
In this section we present a model for impredicative Hoare Type Theory. We will introduce the relevant parts
of iHTT as the model is defined. The full type theory is defined in Appendix A. In presenting the model, we
first focus on the set-universe, and then scale up to cover all of iHTT.
Since the purely-function fragment of IHTT is terminating, we take our universe of realizers to be a
universal pre-domain with a suitable sub-domain for modelling stateful and potentially non-terminating
computations.
Definition 1. Let Vdenote a pre-domain satisfying the following recursive pre-domain equation:
V∼
=1 + N+ (V×V)+(V→cV⊥) + T(V) + H(V)
where →cis the space of continuous functions and
T(V)def
=H(V)→c((V×H(V)) + 1)⊥
H(V)def
={h:ptr →cV⊥|supp(h)finite ∧h(null) = ⊥}
supp(h:ptr →V⊥)def
={l∈ptr |h(l)6=⊥}
4
The first four summands of Vmodel the underlying dependent type theory, and T(V)and H(V)model
computations and heaps, respectively. The ordering on T(V)is the standard pointwise order and the ordering
on H(V)is as follows:
h1≤h2iff supp(h1) = supp(h2)∧ ∀n∈supp(h1). h1(n)≤h2(n)
Let in1, inN, in×, in→, inT, and inHdenote injections into Vcorresponding to each of the above summands.
Vdefines a partial combinatory algebra (PCA) with the following partial application operator:
Definition 2. Let ·:V×V*Vdenote the function,
a·b=(f(b)if a=in→(f)∧f(b)6=⊥
undef otherwise
We recall some notation and definitions. If R⊆A×Ais a PER then its domain, denoted |R|, is
{x∈A|(x, x)∈R}. If R, S ⊆A×Aare PERs, then R→Sis the PER {(α, β)∈A×A| ∀x, y ∈A. (x, y)∈
R⇒(α·x, β ·y)∈S}. If R⊆A×Ais a PER and f:A→Bthen f(R) denotes the PER {(f(x), f (y)) |
(x, y)∈R} ⊆ B×B. For a subset X⊆A, we use ∆(X) to denote the PER {(x, y)|x∈X∧y∈X}. Lastly,
if R⊆A×Ais a PER, we use [R] to denote the set of Requivalence classes.
Definition 3 (Per(A)). The category of PERs, Per(A), over a partial combinatory algebra (A, ·), has PERs
over Aas objects. Morphisms from Rto Sare set-theoretic functions f: [R]→[S], such that there exists a
realizer α∈Asuch that,
∀e∈ |R|.[α·e]S=f([e]R)
Per(V) is cartesian closed and thus models simple type theory. To model recursion, note that a realized
set-theoretic function is completely determined by its realizers (i.e., Per(V)(R, S)∼
=[R→S]) and that we
have the standard least fixed-point operator on the sub-domain of computations of V. This lifts to a least
fixed-point operator on those PERs that are admissible on the sub-domain of computations:
Definition 4.
1. A PER R⊆A×Aon a pre-domain Ais complete if, for all chains (ci)i∈Nand (di)i∈Nsuch that
(ci, di)∈Rfor all i, also (tici,tidi)∈R.
2. A PER R⊆A×Aon a domain Ais admissible if it is complete and ⊥∈|R|.
Let CPer(A)and AdmPer(A)denote the full sub-categories of Per(A)consisting of complete PERs and
admissible PERs, respectively.
Definition 5. Define u:V→c(T(V)→cT(V)) as follows,
u(x)(y)def
=(zif x·inT(y) = inT(z)
⊥otherwise
and let lfp denote the realizer in→(λx. [inT(tn(u(x))n)]).
Lemma 1. Let R∈AdmPer(T(V)), then
lfp ∈ |(inT(R)→inT(R)) →inT(R)|
and for all α∈ |inT(R)→inT(R)|,
α·(lfp ·α)inT(R)lfp ·α
Proof. See Lemma 6 in Appendix C.1, which generalizes the fixed point operator to impredicative Πtypes
into an admissible PER.
5
The above development is standard and suffices to model fixed points over partial types in a non-stateful,
simply-typed setting. However, it does not extend directly to a stateful dependently-typed setting: Assume
`τ:type and x:τ`σ:type. Then τis interpreted as a PER R∈Per(V), and σas an [R]-indexed family
of PERs S∈[R]→Per(V), and `Σx :τ.σ :type as the PER ΣR(S):
ΣR(S) = {(in×(a1, b1), in×(a2, b2)) |a1R a2∧b1S([a1]R)b2}.
In general, this PER is not chain-complete even if Rand each Sxis: given a chain (ai, bi)i∈N, we do not
know in general that [ai]R= [aj]Rand hence cannot apply the completeness of Sxto the chain (bi)i∈Nfor
any x∈[R].
To rectify this problem we impose the following monotonicity condition on the PERs, which ensures
exactly that aiR aj, for all i, j ∈N, and hence that ΣR(S) is chain-complete.
Definition 6 (CMPer(A)). A PER R⊆A×Aon a pre-domain Ais monotone if, for all x, y ∈ |R|such
that x≤y, we have (x, y)∈R. Let CMPer(A)denote the full sub-category of Per(A)on the complete
monotone PERs.
Restricting to complete monotone PERs forces a trivial equality on any particular Hoare type, as all of
the elements of the type have to be equal to the diverging computation. However, it does not trivialize the
totality of Hoare types, as we can still interpret each distinct Hoare type, ST τ s, as a distinct PER R,
containing the computations that satisfy the specification s.
Restricting to complete monotone PERs does not collapse the equality on types in the purely functional
fragment of iHTT, as these types are all interpreted as PERs without a bottom element in their domain. In
particular, Π-types, which are modelled as elements of V→V⊥, picks out only those elements that map to
non-bottom on their domain.
We shall see later that the monotonicity condition is also used to interpret partial types with a post-
condition, which induces a dependency similar to that of Σtypes, in the semantics of partial types.
3.1 iHTT
So far, we have informally introduced a PER model of a single dependent type universe extended with partial
types. The next step is to scale the ideas to a model of all of iHTT, and to prove that we do indeed get a
model of iHTT. We start by showing that CMPERs and assemblies form a model of the underlying dependent
type theory. Next, we sketch the interpretation of iHTT specific features such as heaps and computations in
the model. Lastly, we show that the model features W-types at both the set and type universe.
Underlying DTT. We begin by defining a general class of models for the dependent type theory underlying
iHTT, and then present a concrete instance based on complete monotone PERs.
To simplify the presentation and exploit existing categorical descriptions of models of the Calculus of
Constructions, the model will be presented using the fibred approach of [14]. To simplify the definition of
the interpretation function, we consider a split presentation of the model (i.e., with canonical choice of all
fibred structure, preserved on-the-nose).
Definition 7 (Split iHTT structure). A split iHTT structure is a structure
C D E B→
B B
Iel
Iprf P
q
r
such that
–Pis a split closed comprehension category,
6
–Iel and Iprf are split fibred reflections
–the coproducts induced by the Iel reflection are strong (i.e., P ◦ Iel is a split closed comprehension
category), and
–there exists objects Ωel , Ωprf ∈E1such that {Ωel}is a split generic object for the qfibration and {Ωprf}
is a split generic object for the rfibration, where {−} = Dom ◦ P :E→B.
The idea is to model contexts in B, and the three universes, prop,set, and type in fibres of C,Dand
E, respectively. The split closed comprehension category structure models unit, Πand Σtypes in the type
universe. The split fibred reflections models the inclusion of prop into set and set into type and induces
unit, Πand weak Σtypes in prop and set. Lastly, the split generic objects models the axioms prop :type
and set :type, respectively.
The concrete model we have in mind is mostly standard: the contexts and the type universe will be
modelled with assemblies, the set universe with complete monotone PERs, and the prop universe with
regular subobjects of assemblies. We begin by defining a category of uniform families of complete monotone
PERs. Uniformity refers to the fact that each morphism is realized by a single α∈V.
Definition 8 (UFam(CMPer(A))).
–Objects are pairs (I , (Si)i∈|I|)where I∈Asm(V)and each Si∈CMPer(V).
–Morphisms from (I, Si)to (J, Tj)are pairs (u, (fi)i∈|I|)where
u:I→J∈Asm(V)and fi: [Si]→[Tu(i)]
such that there exists an α∈Vsatisfying
∀i∈ |I|.∀ei∈EI(i).∀ev∈ |Si|. α ·ei·ev∈fi([ev]Si)
Recall [14] that the standard category UFam(Per(A)) is defined in the same manner, using all PERs instead
of only the complete monotone ones.
Let RegSub(Asm(V)) denote the standard category of regular subobjects of assemblies and UFam(Asm(V))
the standard category of uniform families of assemblies (see [14] for a definition). There is a standard
split fibred reflection of UFam(Per(A)) into UFam(Asm(A)): the inclusion views a PER Ras the assem-
bly ([R], id[R]) [14]. This extends to a split fibred reflection of UFam(CMPer(A)) into UFam(Asm(V)) by
composing with the following reflection of UFam(CMPer(A)) into UFam(Per(A)).
Lemma 2. The inclusion I: UFam(CMPer(A)) →UFam(Per(A)) is a split fibred reflection.
Proof (Sketch). We show that CMPer(A) is a reflective sub-category of Per(A); the same construction applies
to uniform families, by a point-wise lifting. The left-ajoint, R: Per(A)→CMPer(A) is given by monotone
completion:
R(S) = SR([α]R→S) = [α]R→S
where Rdef
=T{S∈CMPer(V)|R⊆S}for a PER R∈Per(V).
Let S∈Per(A) and T∈CMPer(A). Since the underlying realizers are continuous functions, we have
that (see Lemma 7 in Appendix C)
S→T=S→T
which induces the adjoint-isomorphism:
CMPer(A)(R(S), T )∼
=[S→T]=[S→T]∼
=Per(A)(S, I(T))
Lemma 3. The coproducts induced by the Iel : UFam(CMPer(V)) →UFam(Asm(V)) reflection are strong.
7
Proof. Let I∈Asm(V), X∈UFam(CMPer(V))Iand Y∈UFam(CMPer(V)){X}. Then the induced coprod-
uct, ΣX(Y), is given by the family of complete monotone PERs,
ΣX(Y) =
(α, β)| ∃x, y ∈a
x∈[Xi]
[Y(i,x)]. α ∈E`i(x)∧β∈E`i(y)∧x∼iy
i∈|I|
where
E`i(a, b) = {in×(d, e)|d∈a∧b∈e}
x ^iyiff E`i(x)∩E`i(y) = ∅
and ∼iis the transitive closure of ^i.
Since Iel(X) and Iel (Y) are modest sets, ^iis the equality relation on `x∈[Xi][Y(i,x)], and the above
PER thus reduces to the monotone completion of the standard PER interpretation of Σtypes.
ΣX(Y)=({(in×(a1, b1), in×(a2, b2)) |a1Xia2∧b1Y(i,[a1]Xi)b2})i∈|I|
Since each Xiand each Y(i,x)is a complete monotone PER, the standard PER interpretation of Σtypes is
already a complete monotone PER (see Lemma 8 in Appendix C) and thus,
ΣX(Y)=({(in×(a1, b1), in×(a2, b2)) |a1Xia2∧b1Y(i,[a1]Xi)b2})i∈|I|
The coproducts thus coincide with the coproducts induced by the UFam(Per(V)) →UFam(Asm(V))
reflection, which are strong [14, Section 10.5.8].
Theorem 1. The diagram below forms a split iHTT structure.
RegSub(Asm(V)) UFam(CMPer(V)) UFam(Asm(V)) Asm(V)→
Asm(V) Asm(V)
Interpretation. Except for impredicative Σtypes and the axiom set :type, the interpretation of the
underlying dependent type theory in the above concrete split iHTT structure is exactly the standard PER-
assembly interpretation. The type set is interpreted as the set of complete monotone PERs over V, instead
of the set of all PERs over V. Impredicative Σtypes are interpreted as the monotone completion of the
standard PER-assembly interpretation. For completeness, we have written out the concrete interpretation
of the underlying dependent type theory in Appendix B.
As terms generally have multiple typing derivations in dependent type theories, the interpretation function
is typically defined as a partial function on pre-terms and pre-contexts, and later shown to be defined on
well-typed terms and contexts [23]. Formally, the interpretation is given by three mutually recursive partial
functions,
[[−]]Ctx : Ctx * obj(Asm(V))
[[−]]Type : Ctx ×Term * obj(UFam(Asm(V)))
[[−]]Term : Ctx ×Term * hom(UFam(Asm(V)))
where Ctx is the set of pre-contexts and Term the set of pre-terms (defined in Appendix A.1), such that,
[[Γ`A]]Type ∈UFam(Asm(V))Ctx
[[Γ]]
[[Γ`M]]Term ∈UFam(Asm(V))Ctx
[[Γ]] (1[[Γ]]Ctx ,[[Γ`A]]Type)
8
for well-typed types, Γ`A:type, and well-typed terms, Γ`M:A. Terms of small types, Γ`M : el(τ),
are thus interpreted as morphisms in UFam(CMPer(V)) fibres as follows:
[[Γ`M : el(τ)]]Term ∈UFam(Asm(V))I(1I , [[Γ`el(τ)]]Type)
= UFam(Asm(V))I(1I, Iel([[Γ`τ]]Term))
∼
=UFam(CMPer(V))I(1I, [[Γ`τ]]Term)
where I= [[Γ]]Ctx. Furthermore, global sections in UFam(CMPer(V)) fibres are uniquely determined by their
realizers:
UFam(CMPer(V))I(1I, X )∼
=
\
i∈|I|
∆(EI(i)) →Xi
for I∈Asm(V) and X∈UFam(CMPer(V))I. We can thus define the interpretation of terms of small types
by giving the underlying realizer. This is the view we will employ when defining the interpretation of the
basic computations of iHTT.
Heaps. Pre- and post-conditions in iHTT are expressed as predicates over a type heap, of heaps. In addition
to a constant denoting the empty heap, this type features the following operations: upd,free,max,dom,
and peek.upd and free updates and frees the value at a given location, respectively. peek returns the value
(if any) at a given location. dom decides whether a given location is allocated and max returns the largest
allocated location (and 0 for the empty heap). The max operation allows one to define a recursion operator
on heaps. From these low-level operations we can define the high-level operations such as points-to (7→) and
disjoint union (•) used in Section 2.
heap is a large type (i.e., heap :type). The types of the built-in operations are as follows.
empty :heap
upd :Πτ :set.heap →el(nat)→el(τ)→heap
free :heap →el(nat)→heap
max :heap →el(nat)
dom :heap →el(nat)→bool
peek :heap →el(nat)→el(1) + (Στ :set.el(τ))
We use h[m7→τv] as shorthand for upd τ h m v and h\mas shorthand for free h m. These operations
satisfy the heap axioms in Appendix A.11, which include several axioms relating the basic operations in
addition to an induction principle and an extensionality principle for heaps.
We would like to model the values of heap as elements of H(V). However, with this interpretation of
heap we cannot interpret the update operation, h[m7→τv], as the definition would not be independent of
the choice of realizer for v. Rather, we introduce a notion of a world, which gives a notion of heap equivalence
and interpret a heap as a pair consisting of a world and an equivalence class of heaps in the given world. A
world is a finite map from locations to small semantic types:
Wdef
=ptr fin
*CMPer(V)
and two heaps h1, h2∈H(V) are considered equivalent in a world w∈Wiff their support equals the domain
of the world and their values are point-wise related by the world:
h1∼wh2iff supp(h1) = supp(h2) = Dom(w)∧ ∀l∈Dom(w). h1(l)w(l)h2(l)
9
A typed heap is then a pair consisting of a world and an equivalence class of domain-theoretic heaps,
Ht
def
=a
w∈W
[∼w]
and heap is interpreted as the set of typed heaps with the underlying domain-theoretic heaps as realizers:
[[Γ`heap]]Type = (Ht,(w, U)7→ inH(U))i∈|I|
for I= [[Γ]]Ctx. That is, for each i, we have the assembly with underlying set Htand with realizability map
Ht→P(V) given by (w, U)7→ inH(U). The realizers themselves do not have to contain any typing informa-
tion, as we interpret small types with trivial realizability information (i.e., [[Γ`set :type]] = ∇(CMPer(V))).
Let I= [[Γ]], then
[[Γ`empty]]Term
i= ([],{[]})
[[Γ`upd]]Term
i(R)(w, [h]w)([n])([v]) = (w[n7→ R],[h[n7→ v]]w[n7→R])
[[Γ`free]]Term
i(w, [h]w)([n]) = (w|dom(w)\n,[h|dom(w)\n])
[[Γ`max]]Term
i(w, [h]w)=[inN(max{n∈N|h(n)6=⊥ ∨ n= 0})]
[[Γ`dom]]Term
i(w, [h]w)([n]) = ([inN(0)] if w(n) defined
[inN(1)] otherwise
[[Γ`peek]]Term
i(w, [h]w)([n]) = (inl(w(n),[h(n)]w(n)) if w(n) defined
inr([∗]) otherwise
In the interpretation of update, the world is used to ensure that the interpretation is independent of the choice
of realizer vfor N2. Since the underlying domain-theoretic heaps do not contain any typing information,
the world is also used in the interpretation of peek, to determine the type of the value stored at the given
location.
Note that iHTT has “strong” update and that the world is modified to contain the new type (semantically,
the per R) upon update. Thus our notion and use of worlds is different from the use of worlds in models of
“weak” ML-like reference types, e.g. [5]; in particular, note that we do not index every type by a world, but
only use worlds to interpret the type of heaps and the operations thereon (see also the next subsection for
further discussion).
Theorem 2. The heap axioms in Appendix A.11 hold in the model.
Hoare Types. We are now ready to sketch the interpretation of Hoare-types. The idea is to interpret Hoare-
types as PERs on elements of T(V) that satisfy the given specification, but with a trivial equality. Specifically,
given a partial correctness specification, we define an admissible subset X⊆T(V) of computations satisfying
the specification, and interpret the associated Hoare type as the PER,
R=inT(∆(X)) = {(inT(f), inT(g)) |f∈X∧g∈X}
The trivial equality ensures that Ris trivially monotone and admissibility on the sub-domain of computations
follows from admissibility of X.
Assume a semantic pre-condition P∈Ht→2, a small semantic type R∈CMPer(V), and a semantic
post-condition Q∈[R]×Ht×Ht→2. As explained in the previous section, the pre- and post-condition is
expressed in terms of a typed heaps, Ht, instead of the underlying domain theoretic heaps. The subset of
computations satisfying the specification is thus defined using the usual “forall initial worlds, there exists
a terminal world”-formulation, known from models of ML-like references [5]. However, as iHTT supports
10
strong update and deallocation, the terminal world is not required to be an extension of the initial world.
Specifically, define hoare(R, P, Q) as the following subset of T(V):
hoare(R, P, Q)def
={f∈T(V)| ∀w∈W.∀h∈ | ∼w|. P (w, [h]w) = > ⇒
(f(h) = ⊥ ∨ ∃v0, h0. f (h)=(v0, h0)∧v0∈ |R| ∧
h0∈ {h0∈H(V)| ∃w0∈W. Q([v0]R)(w, [h]w)(w0,[h0]w0) = >})}
where (−) denotes the chain-completion operator on T(V). The explicit chain-completion of the post-
condition is required because of the existential quantification over worlds. Furthermore, since the post-
condition is indexed by the return value [v0]R, monotonicity is used to collapse a chain of domain-theoretic
values v1≤v2≤ · · · into a single type-theoretic value [v1]R, when proving that hoare(R, P, Q) is an admis-
sible subset of T(V).
A Hoare-type in the is now interpreted as follows:
[[Γ`st τ(P,Q)]]Type
i=inT(∆(hoare([[Γ`τ]]i,[[Γ`P]]i,[[Γ`Q]]i)))
The previous model of iHTT [21] featured a non-trivial computational equality. However, the previous
model lacked the worlds introduced in the previous section and with it a useful notion of heap equivalence.
As a result, the computational equality in the previous model was very strict, rendering the structural rule
for existentials in Hoare logic unsound. The new model validates all the usual structural rules of Hoare-logic.
Computations. iHTT contains five basic computations for returning a value, reading from the heap, writing
to the heap, allocating a location and deallocation a location. These basic computations are given by the
following terms, where {P}τ{Q}is shorthand for st τ(P,Q)T:
ret :Πτ :set. Πv :τ. {λ .>}τ{λr, hi, ht. hi=ht∧r=v}
read :Π τ :set. Πl :nat.{λh. dom h l =true}τ{λr, hi, ht. hi=ht∧peek htl=inr(τ, r)}
write :Πτ :set. Πl :nat. Π v :τ. {λh. dom h n =true}τ{λr, hi, ht. ht=hi[l7→τv]}
alloc :Πτ :set. Πv :τ. {λ .>}nat{λr, hi, ht. ht=hi[r7→τv]∧r6= 0 ∧dom hir=false}
dealloc :Πl :nat.{λh. dom h l =true}1{λ , hi, ht. ht=hi\l}
In addition, iHTT contains a term, bind, for combining a two computations in a sequential composition:
bind :Πτ, σ :set. Π s1:spec τ. Π s2:τ→spec σ. st τ s1→(Πv :τ. stσ(s2v)) →
{λhi. π1(s1)hi∧ ∀xht. π2(s1)x hiht⇒π1(s2x)hm}
σ
{λr, hi, ht.∃x, h. π2(s1)x hiht∧π2(s2)r h ht}
and a term, do, which corresponds to the structural rule of consequence in Hoare-logic:
do :Πτ :set. Πs1, s2:spec τ. conseq s1s2→st τ s1→st τ s2
where conseq is specification implication:
conseq :Πτ :set. spec τ →spec τ →prop
conseq =λτ. λs1. λs2.(∀i. π1(s2)i⇒π1(s1)i)∧(∀y , i, m. π1(s2)i⇒π2(s1)y i m ⇒π2(s2)y i m)
Lastly, for each type AiHTT contains a fixed point operator, fixA, for computations with an argument
of type A:
fixA:Πτ :set. Πs :spec τ. ((Πx :A. st τ s)→(Πx :A. st τ s)) →Πx :A. st τ s
11
Below we give the interpretation of the basic computations, by giving the underlying realizers. As a
notational convenience, we write λx. f as shorthand for in→(λx. f ). Let I= [[Γ]], then,
[[Γ`ret]] = λei. λ . λev. inT(λh. (ev, h))
[[Γ`read]] = λei. λ . λn. inT(λh. if h(n)6=⊥then (h(n), h)else err)
[[Γ`write]] = λei. λ . λn. λev. inT(λh. if h(n)6=⊥then (in1(∗), h[n7→ ev]) else err)
[[Γ`alloc]] = λei. λ . λev. inT(λh. let l=leastfree(h)in (l, h[l7→ ev]))
[[Γ`dealloc]] = λei. λn. λh. inT(λh. if h(n) = ⊥then err else (∗, h[n7→ ⊥]))
[[Γ`bind]] = λei. λ . λ . λ . λ . λm. λn. inT(bind(m, n))
[[Γ`do]] = λei. λ . λ . λ . λ . λm. m
[[Γ`fixA]] = λei. λ . λ . λm. in→(λv. inT((tn(u(m))n)(v)))
where
bind(m, n)def
=λh. case πT(m)(h)of
(v, h0)⇒πT(n·v)(h0)
err ⇒err
⊥ ⇒ ⊥
leastfree def
=λh. min{n∈N+|h(n) = ⊥}
u(x:V)(y:V→T(V))(z:V)def
=(aif x·in→(λz. inT(y(z))) ·z=inT(a)
⊥otherwise
πT(x:V)def
=(aif x↓and x=inT(a)
⊥T(V)otherwise
Theorem 3. The interpretation of computations is sound, i.e., well-typed computations satisfy their speci-
fications.
Proof. We prove three representative cases: bind,write, and fixA.
In the case of bind, the intermediate state in the execution of a sequential composition satisfies the chain-
completion of the post-condition of the first computation. To show that bind is sound, one uses that the
underlying computations are continuous to reason about intermediate states added via the chain-completion.
Soundness follows from Lemma 9 in Appendix C.3.
The soundness of fixAfollows from Lemma 6 in Appendix C.1, which generalizes the the least fixed point
operator on Per(V) to computations with a single argument of a large type.
Lastly, the soundness of write follows from Lemma 10 in Appendix C.3.
W-types. The presentation of (co)-inductive types in CIC is based on an intricate syntactic scheme of
inductive families. So far, this presentation of (co)-inductive types has eluded a categorical semantics. Martin-
L¨of type theory features an alternative presentation, based on W-types (a type-theoretic formalization of
well-founded trees), which is strong enough to represent a wide range of predicative inductive types in
extensional models (such as ours) [11, 3]. Since W-types in addition have a simple categorical semantics, we
have chosen to show that iHTT models inductive types by showing that it models W-types. Specifically, we
show that it models W-types at both the type and set universe, and that the W-types at the set universe
supports elimination over large types.
Semantically, in the setting of locally cartesian closed categories, W-types are modelled as initial algebras
of polynomial functors [16]. In the setting of split closed comprehension categories we define:
Definition 9. A split closed comprehension category P:E→B→has split W-types, if for every I∈B,
X∈EIand Y∈E{X}the endo-functor,
PI,X,Y =ΣX◦ΠY◦(πX◦πY)∗:EI→EI
12
has a chosen initial algebra αI,X,Y :PI,X ,Y (WI,X,Y )→WI,X,Y ∈EI, which is preserved on-the-nose by
re-indexing functors.
As is well-known, Asm(V) is locally cartesian closed and all polynomial functors on Asm(V) have initial
algebras. This yields initial algebras for functors PX,Y : UFam(Asm(V))1→UFam(Asm(V))1for X∈E1
and Y∈E{X}. This lifts to an arbitrary context I∈Asm(V) by a point-wise construction, which yields split
W-types, as re-indexing in UFam(Asm(V)) is by composition:
Lemma 4. The split ccomp P: UFam(Asm(V)) →Asm(V)→has split W-types.
Proof. W-types in Asm(V) are constructed from the W-types in Sets, by restricting to “heriditarily realized”
trees (see Appendix C.4 for the full construction): In the case where I= 1, assume X∈Asm(V) and
Y∈UFam(Asm(V))Xand let TX,Y denote a solution to the set-isomorphism,
supX,Y :a
x∈|X|
|Yx| → TX,Y ∼
=TX,Y
and let EX,Y :TX,Y → P(V) denote the unique function satisfying,
EX,Y (sup(x, f )) = {in×(ex, ef)|ex∈EX(x)∧ ∀y∈ |Yx|.∀ey∈EYx(y). ef·ey∈EX,Y (f(y))}
Then WX,Y
def
= ({w∈TX,Y |EX,Y (w)6=∅}, EX,Y )∈Asm(V) and sup :PX,Y (WX,Y )→WX,Y is an
initial PX,Y algebra, realized by the identity (Lemma 14 in Appendix C.4).
In the case of an arbitrary context I∈Asm(V), assume X∈UFam(Asm(V))Iand Y∈UFam(Asm(V)){X},
then we define WI,X,Y and αI ,X,Y by a point-wise lifting:
WI,X,Y =WXi,λy . Y(i,y)i∈|I|
and
αI,X,Y =idI,supXi,λy . Y(i,y)i∈|I|
αI,X,Y is uniformly realized, since each of the underlying sup functions is realized by the identitiy.
To show that these are further preserved on the nose by reindexing, assume J∈Asm(V) and u:J→
I∈Asm(V). Then,
u∗(αI,X,Y ) = idJ,αXu(j),λy . Y(u(j),y)j∈|J|=αJ,u∗(X),{u(X)}∗(Y)
This models W-types in the type-universe. In addition, iHTT features small W-types over small types,
with elimination over large types. The idea is to model these small W-types by forming the W-type in
UFam(Asm(V)) and mapping it back into UFam(CMPer(V)) using the reflection. The reflection works by
collapsing an assembly into a PER by equating values with overlapping sets of realizers and into a complete
monotone PER by taking the monotone completion of said PER. In the case where Xand Yare in the
image of Iel, the construction of WI ,X,Y sketched above yields a modest set (i.e., has no overlapping sets of
realizers) and furthermore, the induced PER is already monotone and complete. This induces the following
isomorphism, which allows us to model small W-types with elimination over large types:
Lemma 5. For every I∈B,X∈UFam(CMPer(V))I, and Y∈UFam(CMPer(V)){X}, there is a cho-
sen isomorphism, WI,Iel (X),Iel(Y)∼
=Iel(Rel (WI,Iel(X),Iel (Y))), which is preserved on-the-nose by reindexing
functors.
13
Proof (Sketch). There is a well-known equivalence between PERs and modest sets. This extends to complete
monotone PERs as follows: Define CMod(V) as the full-subcategory of Mod(V), consiting of modest sets
(X, EX), satisfying the following two conditions,
∀x, y ∈X. (∃a, b. a ∈EX(x)∧b∈EX(y)∧a≤b)⇒x=y
∀x∈X. ∀c:N→mV.(∀n∈N. c(n)∈EX(x)) ⇒ tnc(n)∈EX(x)
then Iel and Rel forms an equivalence between CMPer(V) and CMod(V) and furthermore for every X∈
CMod(V) there is a chosen isomorphism X∼
=Iel(Rel (X)). This lifts to a fibred equivalence between
UFam(CMPer(V)) and UFam(CMod(V)), with chosen isomorphisms, X∼
=Iel(Rel (X)) for X∈UFam(CMod(V))I,
preserved on the nose by re-indexing functors.
The result thus follows by showing that WX,Y ∈CMPer(V) for X∈Asm(V) and Y∈UFam(Asm(V))X,
which follows by well-founded induction on TX,Y (Lemma 15 in Appendix C.4).
4 Implementation
One of the advantages of weakening Hoare types instead of the underlying dependent type theory – as in
the case of [21] – is that it can simplify implementation of the resulting type theory. In our case, presenting
iHTT as an extension of CIC allows for easy implementation as an axiomatic extension of the Coq proof
assistant.
Our implementation is based on the Coq infrastructure developed by Nanevski et. al. [19], to support
efficient reasoning about stateful computations in Coq. This infrastructure defines a new Hoare type on top
of the built-in Hoare type with support for more efficient reasoning, based on ideas from separation logic.
Specifically, as illustrated in Section 2, this new Hoare type features (1) small footprint specifications and
(2) efficient reasoning about heaps. Efficient reasoning about heaps is achieved by reasoning using the partial
commutative monoid (1 + heap,•) instead of the total non-commutative monoid (heap,•), where heap is
the actual type of heaps and •is heap union [19].
Compared to Nanevski et. al.’s implementation of predicative Hoare Type Theory (pHTT), this new
implementation features higher-order store and impredicative quantification, but the predicative hierarchy
lacks Hoare-types. The new implementation is almost source compatible with verifications in pHTT that do
not exploit the predicative hierarchy.
Compared to the Ynot implementation of pHTT [18], in addition to impredicativity the main difference
lies in the treatment of ghost variables. Post conditions in Ynot are unary and thus employ ghost-variables
to relate the pre- and post-condition. Ynot expresses ghost variables of a specification as computationally ir-
relevant arguments to the computation. As Coq lacks support for computationally irrelevant variables, Ynot
extends Coq with an injectivity axiom, which gives an embedding of set into the computationally irrelevant
prop-universe. This axiom is inconsistent with a proof irrelevant prop-universe and thus in particular un-
sound in our model. Additionally, this limits Ynot’s ghost variables to small types, whereas iHTT supports
ghost variables of large types.
5 Related work
Our approach to partiality is based on the idea of partial types, as introduced by Constable and Smith [9].
We have already discussed its relation to the work on admissibility by Crary [10] in the introduction. Below
we first discuss related work on partiality, followed by related work on partial correctness reasoning.
Bove and Capretta [7] proposed representing a partial function f:A * B as a total function f:Πa :
A. P (a)→B, defined by recursion over an inductively defined predicative P:A→prop, expressing the
domain of the partial function. This allows the definition of partial computations by general recursion, but
does not model non-termination, as fcan only be applied to arguments on which it terminates. Capretta
[8] proposed an alternative co-inductive representation, which does model non-termination, representing a
14
partial function f:A*Bas a total function f:A→Bv, where Bvis co-inductive type of partial elements
of type B. This representation yields a least fixed point operator on finitrary (continuous) endo-functions on
A→Bv. Capretta does not provide a fixed point induction principle, but we believe such a principle would
require admissibility proofs.
Another alternative approach to partiality is to give a model of a language featuring general recursion
inside a dependent type theory. This allows one to model and reason about partial computations inside the
type theory, but does not extend the type theory itself with partial computations. This approach has for
instance been studied and implemented by Reus et. al. [22], who formalized Synthetic Domain Theory in the
Lego proof checker. The resulting type theory can be seen as a very expressive version of LCF. The synthetic
approach alleviates the need for continuity proofs, but still requires admissibility proofs when reasoning by
fixed point induction.
Hoare-style specification logics is another line of closely related work. With a collapsed computational
equality, reasoning about a partial computation in iHTT is limited to Hoare-style partial correctness rea-
soning, as in a specification logic. With the modularity features provided by the underlying dependent type
theory (i.e., Σtypes), iHTT can thus be seen as a modular specification logic for a higher-order programming
language.
6 Conclusion
We have presented a new approach for extending dependent type theory with potentially non-terminating
computations, without weakening the underlying dependent type theory or adding restrictions on the use of
fixed points in defining partial computations. We have shown that it scales to very expressive dependent type
theories and effects beyond partiality, by extending the Calculus of Inductive Constructions with stateful and
potentially non-terminating computations. We have further demonstrated that this approach is practical, by
implementing this extension of CIC as an axiomatic extension of the Coq proof assistant.
To justify the soundness of our extension of CIC, we have presented a realizability model of the theory.
For lack of space, we have limited the presentation to a single predicative universe, but the model can be
extended to the whole predicative hierarchy type ⊆type1⊆. . . of CIC.
References
1. The Coq Proof Assistant. http://coq.inria.fr/.
2. Coq Reference Manual, Version 8.3.
3. M. Abbott, T. Altenkirch, and N. Ghani. Representing nested inductive types using W-types. In Proc. of ICALP,
2004.
4. R. M. Amadio. Recursion over Realizability Structures. Information and Computation, 91:55–85, 1991.
5. L. Birkedal, K. Støvring, and J. Thamsborg. Realisability semantics of parametric polymorphism, general refer-
ences and recursive types. Math. Struct. Comp. Sci., 20(4):655–703, 2010.
6. D. Bjørner and C. B. Jones, editors. The Vienna Development Method: The Meta-Language, volume 61 of Lecture
Notes in Computer Science. Springer, 1978.
7. A. Bove. Simple General Recursion in Type Theory. Nordic Journal of Computing, 8, 2000.
8. V. Capretta. General Recursion via Coinductive Types. Logical Methods in Computer Science, 1(2):1–28, 2005.
9. R. L. Constable and S. F. Smith. Partial Objects in Constructive Type Theory. In Proceedings of Second IEEE
Symposium on Logic in Computer Science, 1987.
10. K. Crary. Admissibility of Fixpoint Induction over Partial Types. In Automated Deduction - CADE-15, 1998.
11. P. Dybjer. Representing inductively defined sets by wellorderings in Martin-L¨of’s type theory. Theor. Comput.
Sci., 176(1-2):329–335, 1997.
12. G. Gonthier and A. Mahboubi. A Small Scale Reflection Extension for the Coq system. Technical report, INRIA,
2007.
13. C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica, 1:271–281, 1972.
14. B. Jacobs. Categorical Logic and Type Theory. Elsevier Science, 1999.
15. B. Meyer. Object-oriented software construction. Prentice Hall, 1997.
15
16. I. Moerdijk and E. Palmgren. Wellfounded trees in categories. Annals of Pure and Applied Logic, 104(1–3):189–
218, 2000.
17. A. Nanevski, G. Morrisett, and L. Birkedal. Hoare Type Theory, Polymorphism and Separation. Journal of
Functional Programming, 18(5–6):865–911, 2008.
18. A. Nanevski, G. Morrisett, A. Shinnar, P. Govereau, and L. Birkedal. Ynot: Dependent Types for Imperative
Programs. In Proceedings of ICFP 2008, pages 229–240, 2008.
19. A. Nanevski, V. Vafeiadis, and J. Berdine. Structuring the Verification of Heap-Manipulating Programs. In
Proceedings of POPL 2010, 2010.
20. P. O’Hearn, J. Reynolds, and H. Yang. Local reasoning about programs that alter data structures. In CSL’01,
pages 1–19, 2001.
21. R. Petersen, L. Birkedal, A. Nanevski, and G. Morrisett. A Realizability Model of Impredicative Hoare Type
Theory. In Proceedings of ESOP 2008, 2008.
22. B. Reus. Synthetic Domain Theory in Type Theory: Another Logic of Computable Functions. In Proceedings of
TPHOL 1996, 1996.
23. T. Streicher. Semantics of Type Theory: Correctness, Completeness, and Independence Results. Birkhaeuser
Verlag, 1991.
16
A Impredicative Hoare Type Theory
A.1 Syntax
Γ::= ε|Γ, x :A
M,N, A, B, τ , σ, P,Q ::= x|set |prop |el(τ)|prf(P)
|ΠTx:A.B |AbsT
x:A.B (M) |AppT
x:A.B (M,N)
|ΠSx:A.τ |AbsS
x:A.τ (M) |AppS
x:A.τ (M,N)
| ∀x:A.P|AbsP
x:A.P(M) |AppP
x:A.P(M,N) | •P
|ΣTx:A.B |P airT
x:A.B (M,N) |π1
x:A.B (M) |π2
x:A.B (M)
|ΣSx:A.τ |P airS
x:A.τ (M,N) |unpack Mas (x, y)in N
|A+B|inlA,B (M) |inrA,B (M) |caseA,B Min inl(x)⇒N1|inr(x)⇒N2
| WTx:A.B |supT
x:A.B (M) |foldT
x:A.B (M)
| WSx:τ.σ |supS
x:τ.σ (M) |foldS
x:τ.σ (M)
|1|()
|bool |true |false |if Mthen N1else N2
|nat |zero |succ M|M == N |M<N
|heap |empty |upd |free |max |dom |peek
|st |ret |read |write |alloc |dealloc |bind |do |fixA
A.2 Judgments
ΓCtx Γis a well-formed context
Γ`A:type Ais a type in context Γ
Γ`M : AM is a term of type Ain context Γ
Γ`A=B:type Aand Bare convertible in context Γ
Γ`M = N : AM and N are convertible in context Γ
We reserve the meta-variables Aand Bfor types, the meta-variables τand σfor small types (terms of
type set), and the meta-variables P and Q for propositions (terms of type prop).
A.3 Contexts
εCtx
x6∈ Γ Γ `A:type
Γ, x :ACtx
A.4 Structural Rules
Γ`A:type
Γ, x :A`x:AπΓ`M : A Γ, x :A, ∆ ` J
Γ, ∆[M/x]` J [M/x]sub Γ`A:type Γ` J
Γ, x :A` J weak
Γ, x :A, y :A, ∆ ` J
Γ, x :A, ∆[x/y]` J [x/y]cont Γ`B:type Γ, x :A, y :B, ∆ ` J
Γ, y :B, x :A, ∆ ` J ex
Γ`M : A Γ `A=B:type
Γ`M : Bconv
17
A.5 Types
ε`set :type
type ε`prop :type
prop
Γ`τ:set
Γ`el(τ) : type
ElT Γ, x :A`B:type
Γ`ΠTx:A. B :type
ΠT Γ , x :A`B:type
Γ`ΣTx:A. B :type
ΣT
A.6 Small types
Γ`1 : set
1Γ`bool :set
bool Γ`nat :set
nat Γ`P : prop
Γ`prf(P) : set
PrfT
Γ, x :A`τ:set
Γ`ΠSx:A. τ :set
ΠS Γ , x :A`τ:set
Γ`ΣSx:A. τ :set
ΣS
A.7 Propositions
Γ, x :A`P : prop
Γ` ∀x:A.P : prop
Γ, x :A`M : el(prf(P))
Γ`λPx:A.M : el(prf(∀x:A.P))
Γ`M : el(prf(∀x:A.P)) Γ`N : A
Γ`AppP
x:A.P(M,N) : el(prf(P[N/x]))
Using universal quantification, we define the usual logical connectives as follows:
P⇒Qdef
=∀x:el(prf(P)).Q
>def
=∀P : prop.P⇒Q
⊥def
=∀P : prop.P
P∧Qdef
=∀R : prop.(P ⇒Q⇒R) ⇒R
P∨Qdef
=∀R : prop.(P ⇒R) ⇒(Q ⇒R) ⇒R
¬Pdef
= P ⇒ ⊥
∃x:A.Pdef
=∀R : prop.(ΠPx:A. (P ⇒R)) ⇒R
a=Abdef
=∀P : A→prop.P(a)⇒P(b)
A.8 Terms
Γ`() : el(1)
Γ`true :el(bool)Γ`false :el(bool)
Γ`M : bool Γ`N1:A Γ `N2:A
Γ`if Mthen N1else N2:A
18
Γ`zero :el(nat)
Γ`M : el(nat)
Γ`succ M : el(nat)
Γ`M,N : el(nat)
Γ`M == N : el(bool)
Γ`M,N : el(nat)
Γ`M<N : el(bool)
Γ, x :A`M : B
Γ`λTx:A. M : ΠTx:A. B
Γ`M : ΠTx:B. A Γ `N : B
Γ`M N : A[N/x]
Γ, x :A`M : el(τ)
Γ`λSx:A. M : el(ΠSx:A. τ)
Γ`M : el(ΠSx:A. τ)Γ`N : A
Γ`M N : el(τ[N/x])
Γ`M : A Γ `N : B[M/x]
Γ`(M,N)T:ΣTx:A. B
Γ`M : A Γ `N : el(τ[M/x])
Γ`(M,N)S:el(ΣSx:A. τ)
Γ, z :el(ΣSx:A.τ )`σ:set Γ, x :A, y :τ`M : el(σ[(x, y)S/z])
Γ, z :el(ΣSx:A. τ )`unpack zas (x, y)in M : el(σ)
Γ`M : ΣTx:A.B
Γ`fst M : A
Γ`M : ΣTx:A.B
Γ`snd M : B[fst M/x]
Γ`M : A
Γ`inlA,B (M) : A+B
Γ`M : B
Γ`inrA,B (M) : A+B
Γ`M : A+B Γ, x :A`N1:C Γ, x :B`N2:C
Γ`caseA,B Min inl(x)⇒N1|inr(x)⇒N2:C
A.9 W-types
Γ`A:type Γ, x :A`B:type
Γ` WTx:A.B :type
Γ`τ:set Γ, x :el(τ)`σ:set
Γ` WSx:τ.σ :set
Γ`M : ΣTx:A. (B→ Wx:A.B)
Γ`supT
x:A.B (M) : WTx:A.B
Γ`M : ΣTx:el(τ).(el(σ)→el(Wx:τ.σ))
Γ`supS
x:τ.σ (M) : el(WSx:τ.σ)
Γ`A:type Γ, x :A`B:type Γ`X:type
Γ`M : (ΣTx:A. (B→X)) →X
Γ`foldT
x:A.B (M) : WTx:A.B →X
19
Γ`τ:set Γ, x :el(τ)`σ:set Γ`X:type
Γ`M:(ΣTx:el(τ).(el(σ)→X)) →X
Γ`foldS
x:τ.σ (M) : el(WSx:τ.σ)→X
Γ`A:type Γ, x :A`B:type Γ`X:type
Γ`N1: (ΣTx:A. (B→X)) →X Γ `N2: (WTx:A.B)→X
Γ`(∀y: (ΣTx:A. (B→ WTx:A.B)).N2(supT
x:A.B (y)) = N1(π1(y), f oldT
x:A:B(N1)◦π2(y))) ⇒N2=foldT
x:A.B (N1)
Γ`τ:set Γ, x :el(τ)`σ:set Γ`X:type
Γ`N1: (ΣTx:el(τ).(el(σ)→X)) →X Γ `N2: (WSx:τ.σ)→X
Γ`(∀y: (ΣTx:el(τ).(el(σ)→ WSx:τ.σ)).N2(supS
x:τ.σ (y)) = N1(π1(y), foldS
x:τ.σ (N1)◦π2(y))) ⇒N2=foldS
x:τ.σ (N1)
A.10 Heaps
For each term M : Abelow, iHTT contains a typing rule,
Γ`M : A
empty :heap
upd :ΠTτ:set.heap →el(nat)→el(τ)→heap
free :heap →el(nat)→heap
max :heap →el(nat)
dom :heap →el(nat)→bool
peek :heap →el(nat)→el(1) + (ΣTτ:set.el(τ))
A.11 Heap axioms
For each propostion P below, iHTT contains a typing rule,
Γ` •P:el(prf(P))
20
max empty =el(nat)zero
∀τ:set.∀h:heap.∀n:el(nat).∀v:el(τ).
max (h[n7→τv]) =el(nat)if n < max hthen max helse n
∀n:el(nat).peek empty n=inl ()
∀τ:set.∀h:heap.∀n:el(nat).∀v:el(τ).∀m:el(nat).
peek (h[n7→τv]) m=if n== mthen inr P airτ:set.el(τ)(τ , v)else peek h m
∀h:heap.∀n, m :el(nat).
peek (h\n)m=if n== mthen inl () else peek h m
∀n:el(nat).dom empty n=false
∀τ:set.∀h:heap.∀n:el(nat).∀v:el(τ).∀m:el(nat).
dom (h[n7→τv]) m=if n== mthen true else dom h m
∀h:heap.∀nm :el(nat).
dom (h\n)m=if n== mthen false else dom h m
∀h:heap.∀α, β :set.∀n, m :el(nat).∀a:el(α).∀b:el(β).
h[n7→αa][m7→βb] = if n== mthen h[m7→βb]else h[m7→βb][n7→αa]
∀h1, h2:heap.(∀n:el(nat).peek h1n=peek h2n)⇒h1=heap h2
∀P : heap →prop.(∀h:heap.∀α:set.∀n:el(nat).∀v:el(α).Ph⇒max h<n⇒P (h[n7→αv])) ⇒
Pempty ⇒ ∀h:heap.Ph
where h[n7→τv] is shorthand for upd τ h n v and h\nis shorthand for free h n.
A.12 Computations
For each term M : τbelow, iHTT contains a typing rule,
Γ`M : el(τ)
st :ΠSτ:set. spec τ →set
ret :ΠSτ:set. ΠSv:el(τ).{λ .>}τ{λr, hi, ht. hi=ht∧r=v}
read :ΠSτ:set. Π Sl:el(nat).{λh. dom h l =true}τ{λr, hi, ht. hi=ht∧peek htl=inr(τ, r)}
write :ΠSτ:set. ΠSl:el(nat). ΠSv:el(τ).{λh. dom h n =true}τ{λr, hi, ht. ht=hi[l7→τv]}
alloc :ΠSτ:set. ΠSv:el(τ).{λ .>}nat{λr, hi, ht. ht=hi[r7→τv]∧r6= 0 ∧dom hir=false}
dealloc :ΠSl:el(nat).{λh. dom h l =true}1{λ , hi, ht. ht=hi\l}
21
do :ΠSτ:set. ΠSs1, s2:spec τ. ΠSel(prf(conseq s1, s2)).el(st τ s1)→el(st τ s2)
bind :ΠSτ, σ :set. ΠSs1:spec τ. ΠSs2:el(τ)→spec σ. el(st τ s1)→(ΠSv:τ. stσ(s2v)) →
{λhi. π1(s1)hi∧ ∀xht. π2(s1)x hiht⇒π1(s2x)hm}
σ
{λr, hi, ht.∃x, h. π2(s1)x hiht∧π2(s2)r h ht}
fixA:ΠSτ:set. ΠSs:spec τ. ((ΠSx:A. st τ s)→(ΠSx:A. st τ s)) →ΠSx:A. st τ s
where
spec =λτ :set.(heap →prop)×(τ→heap →heap →prop)
and {P}τ{Q}is shorthand for st τ(P,Q)T.
A.13 Term definitional equality Γ`M = N : A
Γ`M:A
Γ`M=M:A
Γ`M=N:A
Γ`N=M:A
Γ`M1=M2:A Γ `M2=M3:A
Γ`M1=M3:A
Γ, x :A`M : B Γ `N : A U ∈ {S, T, P}
Γ`(λUx:A. M) N = M[N/x] : B[M/x]
Γ`M : A Γ `N : B[M/x]
Γ`fst (M,N)T=M:A
Γ`M : A Γ `N : B[M/x]
Γ`snd (M,N)T=N:B[M/x]
Γ`M : A Γ `N : el(τ[M/x]) Γ, x :A, y :τ`K : el(σ)
Γ`unpack (M,N)Sas (x, y)in K=K[M/x, N/y] : el(σ)
Γ`M : A Γ, x :A`N1:C Γ, x :B`N2:C
Γ`case inl(M) in inl(x)⇒N1|inr(x)⇒N2= N1[M/X] : C
Γ`M : B Γ, x :A`N1:C Γ, x :B`N2:C
Γ`case inr(M) in inl(x)⇒N1|inr(x)⇒N2= N2[M/X] : C
Γ`M : ΣTx:A. (B→ WTx:A.B)Γ`N:(ΣTx:A. (B→X)) →X
Γ`foldT
x:A.B (N)(supT
x:A.B (M)) = N(π1(M), f oldT
x:A.B (N) ◦π2(M)) : X
Γ`M : ΣTx:el(τ).(el(σ)→el(WSa:τ.σ)) Γ`N:(ΣTx:el(τ).(el(σ)→X)) →X
Γ`foldS
x:τ.σ (N)(supS
x:τ.σ (M)) = N(π1(M), foldS
x:τ.σ (N) ◦π2(M)) : X
22
A.14 Type definitional equality Γ`A=B:type
Γ`A:type
Γ`A=A:type
Γ`A=B:type
Γ`B=A:type
Γ`A=B:type Γ`B=C:type
Γ`A=C:type
Γ`A=A0:type Γ, x :A`B=B0:type
Γ`ΠTx:A.B =ΠTx:A0.B0:type
Γ`A=A0:type Γ, x :A`B=B0:type
Γ`ΣTx:A.B =ΣTx:A0.B0:type
Γ`A=A0:type Γ, x :A`B=B0:type
Γ` WTx:A.B =WTx:A0.B0
Γ`A=A0:type Γ`B=B0:type
Γ`A+B=A0+B0:type
Γ`τ=σ:set
Γ`el(τ) = el(σ) : type
23
B Interpretation
This appendix contains the concrete interpretation of the underlying dependent type theory. The interpre-
tation of terms of small types is defined in terms of a realizer, which uniquely determines a morphism in the
appropriate fibre category.
[[−]]Ctx : Ctx * obj(Asm(V))
[[−]]Type : Ctx ×Term * obj(UFam(Asm(V)))
[[−]]Term : Ctx ×Term * hom(UFam(Asm(V)))
B.1 Contexts Γ
[[ε]]Ctx = 1
[[Γ, x :A]]Ctx = (Σi∈IXi,(i, x)7→ {(a, b)|a∈E(i)∧b∈EXi(x)})
for (I, E) = [[Γ]]Ctx and (Xi, EXi) = [[Γ`A]]Type.
B.2 Types Γ`A:type
[[Γ`set]]Type
i=∇(CMPer(V))
[[Γ`prop]]Type
i=∇(2)
[[Γ`el(τ)]]Type
i=Iel([[Γ`τ]]Term
i)
[[Γ`ΠTx:A.B]]Type
i= (f∈Y
i∈Xi
Y(i,x)|EQi(f)6=∅), EQi!
[[Γ`ΣTx:A.B]]Type
i= a
x∈Xi
Y(i,x), E`i!
for (I, E) = [[Γ]]Ctx, (Xi, EXi) = [[Γ`A]]Type , and (Y(i,x), EY(i,x)) = [[Γ, x :A`B]]Type, where
EQi(f) = {in→(α)| ∀x∈Xi.∀ex∈EXi(x). α ·ex∈EY(i,x)(f(x))}
E`i(x, y) = {in×(α, β )|α∈EXi(x)∧β∈EY(i,x)(y)}
B.3 Small types Γ`τ:set
[[Γ`prf(P)]]Term
i=(V×Vif [[Γ`P]]Term
i=>
∅if [[Γ`P]]Term
i=⊥
[[Γ`ΠSx:A.τ]]Term
i=(a, b)| ∀x∈Xi.∀e1, e2∈EXi(x).(a·e1, b ·e2)∈R(i,x)
[[Γ`ΣSx:A.τ]]Term
i=((a, b)| ∃x, y ∈a
x∈Xi
[R(i,x)]. a ∈E`i(x)∧b∈E`i(y)∧x∼iy)
for (I, E) = [[Γ]]Ctx, (Xi, EXi) = [[Γ`A]]Type , and R(i,x)= [[Γ, x :A`τ]]Term, where
E`i(x, y) = {in×(α, β )|α∈EXi(x)∧β∈y}
x ^iyiff E`i(x)∩E`i(y)6=∅
∼iis the transitive closure of ^i, and (−) denotes monotone completion.
24
B.4 Terms Γ`M:A
[[Γ, x :A`x]]Term
(i,x)=x
[[Γ`AbsT
x:A.B (M)]]Term
i=x∈Xi7→ [[Γ, x :A`M]]Term
(i,x)
[[Γ`AppT
x:A.B (M,N)]]Term
i= [[Γ`M]]Term
i([[Γ`N]]Term
i)
[[Γ`P airT
x:A.B (M,N)]]Term
i= ([[Γ`M]]Term
i,[[Γ, x :A`N]]Term
(i,[[Γ`M]]Term
i))
[[Γ`π1
x:A.B (M)]]Term
i=π1([[Γ`M]]Term
i)
[[Γ`π2
x:A.B (M)]]Term
i=π2([[Γ`M]]Term
i)
[[Γ`AbsS
x:A.τ (M)]]Term =in→(λe.in→(λx. m(in×(e, x))))
[[Γ`AppS
x:A.τ (M,N)]]Term =in→
λe.
case m(e)of
in→(f)⇒f(n(e))
otherwise ⇒ ⊥V
[[Γ`P airS
x:A.τ (M,N)]]Term =in→(λe. in×(m(e), n(in×(e, m(e)))))
[[Γ`unpack Mas (x, y)in N]]Term =in→
λe.
case m(e)of
in×(a, b)⇒n(in×(in×(e, a), b))
otherwise ⇒ ⊥V
where m= [[Γ`M]]Term and n= [[Γ`N]]Term .
B.5 Base types and terms
[[Γ`1]]Term
i={(in1(∗), in1(∗))}
[[Γ`()]]Term =in→(λe. in1(∗))
[[Γ`bool]]Term
i={(inN(1), inN(1)),(inN(2), inN(2))}
[[Γ`nat]]Term
i={(inN(n), inN(n)) |n∈N}
[[Γ`if Mthen N1else N2]]Term
i=([[Γ`N1]]Term
iif [[Γ`M]]Term
i= [inN(1)]
[[Γ`N2]]Term
iif [[Γ`M]]Term
i= [inN(2)]
[[Γ`true]]Term =in→(λe. inN(1))
[[Γ`false]]Term =in→(λe. inN(2))
[[Γ`zero]]Term =in→(λe. inN(0))
[[Γ`succ M]]Term =in→
λe.
case m(e)of
inN(n)⇒inN(n+ 1)
otherwise ⇒ ⊥V
25
C Proofs
C.1 Recursion
Definition 10. Given X∈Asm(V)and R∈UFam(CMPer(V))X, let ΠX(R)denote the complete monotone
PER,
ΠX(R) = {(α, β)| ∀x∈ |X|.∀ex∈EX(x).(α·ex, β ·ex)∈Rx}
Definition 11. Let u:V→(V→T(V)) →(V→T(V)) denote
u(x:V)(y:V→T(V))(z:V)def
=(aif x·in→(λz. inT(y(z))) ·z=inT(a)
⊥otherwise
and let lfp denote in→(λe. tnin→(λz. inT((u(e))n)(⊥V→T(V))(z))).
Lemma 6. Let X∈Asm(V)and R∈UFam(AdmPer(T(V))), then
lfp :|(ΠX(inT(R)) →ΠX(inT(R))) →ΠX(inT(R))|
Proof. Assume α1(ΠX(inT(R)) →ΠX(inT(R))) α2, then we need to show that
lfp ·α1=tnin→(λz. inT(((u(α1))n)(⊥V→T(V))(z))) ΠX(inT(R)) tnin→(λz. inT(((u(α2))n)(⊥V→T(V))(z))) = lfp ·α2
which follows by chain-completeness from,
∀n∈N. in→(λz. inT((u(α1))n(⊥V→H(V))(z))) ΠX(inT(R)) in→(λz. inT((u(α2))n(⊥V→H(V))(z)))
which we prove by induction on n. The base case follows from the admissibility of R. For the inductive case,
assume
in→(λz. inT((u(α1))n(⊥V→H(V))(z))) ΠX(inT(R)) in→(λz. inT((u(α2))n(⊥V→H(V))(z)))
Assume x∈ |X|and e1, e2∈EX(x), then it follows by the induction hypothesis and definition of ΠX(inT(R))
that,
(α1·in→(λz. inT((u(α1))n(⊥V→H(V))(z))) ·e1, α2·in→(λz. inT((u(α2))n(⊥V→H(V))(z))) ·e2)∈inT(R)
and thus,
(in→(λz. inT((u(α1))n(⊥)(z))) ·e1, in→(λz. inT((u(α2))n(⊥)(z))) ·e2)∈inT(R)
as
in→(λz. int((u(αi))n+1 (⊥(z)))) ·ei=inT((u(αi))((u(αi))n(⊥V→H(V)))(ei))
=αi·in→(λz. inT((u(αi))n(⊥)(z))) ·ei
C.2 Underlying DTT
Lemma 7. Let S, T ∈Per(V). Then
S→T⊆S→T=S→T
where (−)denotes monotone completion operator:
R=\{S∈CMPer(V)|R⊆S}, R ∈Per(V)
26
Proof. The S→T⊆S→Tand S→T⊆S→Tinclusions are obvious.
To show S→T⊆S→T, assume (α1, α2)∈S→T.
Define,
Ui
def
={(x, y)|(αi·x, αi·y)∈T}
Uiis clearly a PER and by assumption S⊆Ui. Furthermore, Uiis monotone and complete by continuity of
αiand monotone and completeness of T. Hence, S⊆Ui.
Define
Udef
={(x, y)∈S|(α1·x, α2·y)∈T}
Since S⊆Ui,Uis indeed a PER and by assumption S⊆U. Again, it follows that Uis monotone and
complete from the continuity of αi, monotone and completeness of Tand that Ui⊆T. Hence, U=Sand
thus (α1, α2)∈S→T.
Lemma 8. Let S∈CMPer(V)and T:V/S →CMPer(V), then
ΣX(Y) = {(in×(a1, b1), in×(a2, b2)) |a1S a2∧b1T([a1]S)b2} ∈ CMPer(V)
Proof. ΣS(T) is clearly a PER.
To show that ΣS(T) is monotone, assume (a1, b1),(a2, b2)∈ |ΣS(T)|,a1≤a2, and b1≤b2. Then a1S a2
and b1T([a1]S)b2and hence ((a1, b1),(a2, b2)) ∈ΣS(T).
To show that ΣS(T) is complete, assume a1≤a2≤ · · · ,b1≤b2≤ · · · , and (ai, bi)∈ |ΣS(T)|. Then by
completeness, Fnan∈ |S|. Hence, by monotonicity, aiSFnanfor every iand thus bi∈ |T([Fnan]S)|for
every i, from which it follows that Fnbn∈ |T([Fnan])|by completeness.
C.3 Computations
Definition 12. Let R∈CMPer(V), then
spec(R)def
= (Ht→2) ×([R]→Ht→Ht→2)
Lemma 9. Let R, S ∈CMPer(V),(p1, q1)∈spec(R),s2∈[R]→spec(S), and
m∈ |∆(inT(hoare(R, p1, q1)))|
n∈ |ΠI(R)(x∈[R]7→ inT(∆(hoare(S, π1(s2(x)), π2(s2(x))))))|
then bind(m, n)∈hoare(S, p, q), where
p(hi∈Ht) = p1(hi)∧ ∀x∈[R].∀ht∈Ht. q1(x)(hi)(ht)⇒π1(s2(x))(ht)
q(x∈[S])(hi∈Ht)(ht∈Ht) = ∃y∈[R].∃h∈Ht. q1(y)(hi)(h)∧π2(s2(y))(x)(h)(ht)
Proof. Let w∈Wand h∈|∼w|such that p([h]w).
By assumption, there exists an α∈V, such that m=inT(α) and α∈hoare(R, p1, p2). Since p1([h]w) we
thus have that that α(h)6=err. If α(h) = ⊥then bind(m, n)(h) = ⊥ ∈ hoare(S, p, q), trivially. Hence, the
only case we have to consider is if α(h)=(v, h0). In this case v∈ |R|and h0∈MQ, where
MQ
def
={h0∈H(V)| ∃w0∈W. q1([v]R)([h]w)([h0]w0)}
27
Since v∈ |R|there exists a βsuch n·v=inT(β) and β∈hoare(S, π1(s2([v]R)), π2(s2([v]R))). Define N
as the subset of intermediate states for which the terminal state of βsatisfies the post-condition:
Ndef
={h0∈H(V)|β(h0) = ⊥∨∃v0, h00. β(h0)=(v0, h00)∧v0∈ |S| ∧ h00 ∈MB(v0)}
MB(v0)def
={h00 ∈H(V)| ∃w00 ∈W. π2(s2([v]R))([v0]S)([h]w)([h00]w00 )}}
It is thus sufficient to show that MQ⊆N. To that end, we show that Nis chain-complete and that MQ⊆N.
Chain-completeness of Nfollows from the continuity of βand monotonicity of S.
To show that MQ⊆N, assume w0∈Wand h0∈ | ∼w0|such that q1([v]R)([h]w)([h0]w0). Since p([h]w),
it follows that π1(s2([v]T))([h0]w0) and hence β(h0) = ⊥or β(h0) = (v0, h00) such that v0∈ |S|and h00 ∈MS,
where
MS={h00 ∈Hu| ∃w00 ∈W. π2(s2([v]R))([v0]S)([h0]w0)([h00]w00 )}
In the first case we trivially have that h0∈N. For the second case we have to prove that MS⊆MB([v0]S),
which follows from MS⊆MB([v0]S).
Lemma 10. Let R∈CMPer(V),[n]∈[inN({(n, n)|n∈N})],en∈[n],v∈[R], and ev∈v, then
write(en, ev)=(λh. if h(n)6=⊥then (in1(∗), h[en7→ ev]) else err)∈hoare({(in1(∗), in1(∗))}, p, q(v))
where
p((w, )∈Ht)def
=w(n)↓
q(x∈[R])((w, [h]w)∈Ht)(ht∈Ht)def
=ht= (w[n7→ R],[h[n7→ ev]])
Proof. Let w∈Wand h∈|∼w|such that p(w, [h]w). Then w(n)↓and thus h(en)6=⊥. Hence,
write(en, ev)(h)=(in1(∗), h[en7→ ev])
Furthermore, in1(∗)∈ |{(in1(∗), in1(∗))}| and
q([in1(∗)])(w, [h]w)(w[n7→ R],[h[en7→ ev]])
C.4 W-types
In this appendix we construct W-types in Asm(V), from the W-types in Sets. We take it as an axiom that
Sets has W-types. From this axiom, we derive an induction principle and a dependent recursion principle
for W-types in Sets (Lemmas 11 and 12). W-types in Asm(V) are then defined as a “hereditarily realized”
subset of the underlying W-type in Sets (Definition 13). From the dependent recursion principle we derive
a recursion principle on this “hereditarily realized” subset (Lemma 13), which we use to prove that the
“hereditarily realized” subset is indeed a W-type in Asm(V) (Lemma 14).
Axiom 1 Let A∈Sets and B∈Fam(Sets)A, then there exists a set Wwith an isomorphism, sup :
`a∈ABa→W∼
=W, such that for any set X∈Sets and function g: (`a∈ABa→X)→Xthere exists
a unique function h:W→X, satisfying, ∀a∈A. ∀f∈Ba→W. h(sup(a, f)) = g(a, h ◦f).
Given A∈Sets and B∈Fam(Sets)A, we use WA,B and supA,B to denote a set and isomorphism satisfying
the conditions of Axiom 1. Given a morphism gas in Axiom 1, we use fold(g) to refer to the meadiating
morphism induced by g.
Lemma 11. Let A∈Sets,B∈Fam(Sets)Aand V⊆WA,B , such that
∀a∈A. ∀f∈Ba→WA,B .(∀b∈Ba. f(b)∈V)⇒sup(a, f)∈V
then V=W.
28
Proof. Define g: (`a∈ABa→V)→Vas the function, g(a, f ) = sup(a, f ). Then by the uniqueness of
fold(sup) we have that,
fold(g) = fold(sup) = idW
and thus W⊆V.
Lemma 12. Let A∈Sets,B∈Fam(Sets)A,X∈Fam(Sets)Wand
g:Πa∈AΠf∈Ba→W(Πb∈BaXf(b))→Xsup(a,f)
there exists a unique h:Πw∈WXw, satisfying,
∀a∈A. ∀f∈Ba→W. h(sup(a, f)) = g(a, f, h ◦f)
Proof. Define g0: (Σa∈ABa→Σw∈WXw)→Σw∈WXwas follows,
g0(a, f )=(sup(a, λb ∈Ba. π1(f(b))),
g(a, λb ∈Ba. π1(f(b)), λb ∈Ba. π2(f(b))))
and let h0:W→Σw∈WXwdenote the unique function satisfying,
∀a∈A. ∀f∈Ba→W. h0(sup(a, f)) = g0(a, h0◦f) (1)
Define
V={w∈W|π1(h0(w)) = w}
then for any a∈A,f∈Ba→w, such that ∀b∈Ba. f(b)∈V, we have that
π1(h0(sup(a, f ))) = π1(g0(a, h0◦f)) = sup(a, λb ∈Ba. π1(h0◦f)(b)) = sup(a, f )
and thus V=W. Define h:Πw∈WXwas,
h(w) = π2(h0(w))
then
h(sup(a, f )) = π2(h0(sup(a, f))) = π2(g0(a, h0◦f))
=g(a, λb ∈Ba. π1(h0(f(b))), λb ∈Ba. π2(h0(f(b))))
=g(a, f, h ◦f)
To prove uniqueness, assume k:Πw∈WXwis another meadiating morphism. Then k0:W→Σw∈WXw
defined as follows,
k0(w)def
= (w, k(w))
satisfies (1):
k0(sup(a, f )) = (sup(a, f), g(a, f, k ◦f))
= (sup(a, λb ∈Ba. π1(k0(f(b)))), g(a, λb ∈Ba. π1(k0(f(b))), λb ∈Ba. π2(k0(f(b)))))
=g0(a, k0◦f)
and thus, k0=h0from which it follows that h=π2◦h0=π2◦k0=k.
Definition 13. Given X∈Asm(V)and Y∈UFam(Asm(V))X, let ˙
WX,Y denote the assembly,
˙
WX,Y = ({w∈W|X|,|Y||EW(w)6=∅}, EW)
where EW:W|X|,|Y|→P(V)denotes the unique function satisfying,
EW(sup(x, f )) = {in×(ex, ef)|ex∈EX(x)∧ ∀b∈ |Yx|.∀ey∈EYx(y). ef·ey∈EW(f(y))}
29
Lemma 13. Let X∈Asm(V),Y∈UFam(Asm(V))X,Z∈Sets and g: (`x∈|X|(|Yx| → Z)) →Z, then
there exists a unique h:|˙
WX,Y | → Z∈Sets satisfying,
∀x∈ |X|.∀f∈ |Yx| → W|X|,|Y|. EW(sup(x, f )) 6=∅ ⇒ h(sup(x, f)) = g(x, h ◦f) (2)
Proof. Define Zw={∗ | EW(w)6=∅} → Zand
g0:Σx∈|X|Σf∈|Yx|→W|X|,|Y|(Πy∈|Yx|Zf(b))→Zsup(x,f)
as follows,
g0(x∈ |X|, f ∈ |Yx| → W|X|,|Y|, r ∈Πy∈|Yx|Zf(b))(∗) = g(x, y ∈ |Yx| 7→ r(y)(∗))
which is well-defined, since if EW(sup(x, f)) 6=∅, then EW(f(y)) 6=∅for every y∈ |Yx|. There thus exists a
unique h0:Πw∈WZwsatisfying,
∀x∈ |X|.∀f∈ |Yx| → W|X|,|Y|. EW(sup(x, f )) 6=∅ ⇒ h0(sup(x, f))(∗) = g(x, y ∈ |Yx| 7→ (h0◦f)(b)(∗))
Lastly, define h:|˙
WX,Y | → Zas h(v) = h0(v)(∗), then
∀x∈ |X|.∀f∈ |Yx| → W|X|,|Y|. EW(sup(x, f )) 6=∅ ⇒ h(sup(x, f)) = g(x, h ◦f)
To show uniqueness, assume k:|˙
WX,Y | → Zsatisfying (2). Then,
k0(w∈W|X|,|Y|)def
=x∈ {∗ | EW(w)6=∅} 7→ k(w)
satisfies,
k0(sup(x, f ))(∗) = k(sup(x, f)) = g(x, k ◦f) = g(x, b ∈Ba7→ (k0◦f)(b)(∗))
for x∈ |X|and f∈ |Yx| → W|X|,|Y|, with EW(sup(x, f )) 6=∅. Hence k0=h0and thus h(v) = h0(v)(∗) =
k0(v)(∗) = k(v).
Definition 14. Given X∈Asm(V)and Y∈UFam(Asm(V))X, let PX,Y : Asm(V)→Asm(V)denote the
functor,
PX,Y (A)=({(x, f )∈Σx∈|X||Yx|→|A| | EΠ(f)6=∅}, EP)
PX,Y (f:A→B)=(x, g)7→ (x, f ◦g)
where
EP(x, f ) = {(ex, ef)|ex∈EX(x)∧ef∈EΠx(f)}
EΠx(f) = {α| ∀y∈ |Yx|.∀ey∈EYx(y). α ·ey∈EA(f(y))}
Lemma 14. Let X∈Asm(V)and Y∈UFam(Asm(V))Xthen
sup|X|,|Y|:PX,Y (˙
WX,Y )→˙
WX,Y ∈Asm(V)
realized by the identity, is an initial PX,Y -algebra.
Proof. Given h:PX,Y (A)→A∈Asm(V), define u0:|˙
WX,Y |→|A|+ 1 as the unique map satisfying,
u0(sup(x, f )) = (inl(h(x, πl◦u0◦f)) (∀y∈ |Yx|.(πl◦u0◦f)(y)↓)∧EΠx(πl◦u0◦f)6=∅
inr(∗) otherwise
30
where πl:|A|+ 1 *|A|is defined as follows,
πl(x) = (yif x=inl(y)
undef otherwise
Assume ehis a h-realizer and define αand Uas follows,
αdef
=in→(fix(λeu. λin×(ea, ef). eh·(ea, eu◦ef)))
Udef
={v∈ | ˙
WX,Y ||∃a∈ |A|. u0(a) = inl(x)∧ ∀ev∈EW(v). α ·ev∈EA(a))}
where fix is the least fixed point operator on V→V⊥.
To show that U=|˙
WX,Y |, let x∈ |X|and f:|Yx| → W|X|,|Y|such that EΠ(x, f )6=∅and assume that
∀y∈ |Yx|. f(y)∈U
then it follows by the induction hypothesis that
∀y∈ |Yx|.(πl◦u0◦f)(y)↓ ∧EΠx(πl◦u0◦f)6=∅
and hence,
u0(sup(x, f )) = inl(h(x, πl◦u0◦f))
Assume (ex, ef)∈EW(sup(x, f )). Then (ex, α ◦ef)∈EP(x, πl◦u0◦f), since by the induction hypothesis,
αrealizes πl◦u0for w∈W|X|,|Y|in the image of f. Hence, as ehrealizes h,
α·(ex, ef) = eh·(ex, α ◦ef)∈EA(h(x, πl◦u0◦f))
and thus sup(x, f)∈U.
Define u:|˙
WX,Y |→|A|as
u=πl◦u0
then
u(sup(a, f )) = h(a, u ◦f)
and uis further realized by α.
To prove uniqueness, assume v:|˙
WX,Y |→|A|satisfying v◦sup =h◦PX,Y (v). Then v0=inl ◦vsatisfies
∀x. ∀f. v0(sup(x, f)) = inl(h(x, πl◦v0◦f))
and thus by uniqueness of u0,u0=v0and thus u=v.
Definition 15. Let (X, EX)∈Asm(V)then (X, EX)is complete monotone iff
∀x, y ∈X. (∃a, b ∈V. a ∈EX(x)∧b∈EX(y)∧a≤b)⇒x=y
and
∀x∈X. ∀c: N →mV.(∀n∈N. c(n)∈EX(x)) ⇒ tnc(n)∈EX(x)
Lemma 15. Let X∈Asm(V)and Y∈UFam(Asm(V))X. If Xis complete monotone and Yxis complete
monotone for each x∈ |X|, then ˙
WX,Y is complete monotone.
31
Proof. We prove
∀w∈W|X|,|Y|.
(∀w0∈W|X|,|Y|.(∃a, b. a ∈EW(w)∧b∈EW(w0)∧a≤b)⇒w=w0)∧
(∀c:N→mV.(∀n∈N. c(n)∈EW(w)) ⇒G
n
c(n)∈EW(w))
by induction on w∈W|X|,|Y|. Assume x1∈ |X|and f1∈ |Yx| → W|X|,|Y|.
We prove the first conjunct by induction on w0∈W|X|,|Y|. Assume x2∈ |X|and f2∈ |Yx| → W|X|,|Y|,
such that there exists (ex1, ef1)∈EW(x1, f1) and (ex2, ef2)∈EW(x2, f2) with (ex1, ef1)≤(ex2, ef2). By
monotonicity of Xwe thus have that x1=x2. Furthermore, given any y∈ |Yx|and ef1·ey≤ef2·ey, where
ey∈EYx(y), and thus f1(y) = f2(y), by the induction hypothesis for w.
The second conjunct follows easily from continuity of f1realizers and the induction hypothesis.
32
